GMail quirk used to subvert website spam tracking

Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:

login failed for s.ervic.d.157.6@gmail.com
login failed for se.rv.icd.15.76@gmail.com
login failed for r.a.mo.s.odalys.33.3@gmail.com
login failed for sho.ppin.g48service@gmail.com

This caught my eye because I recall reading that GMail ignores periods in email addresses. For example, if I register alexs12345@gmail.com but then begin sending email to a.l.e.x.s.1.2.3.4.5@gmail.com, it will arrive in my new inbox despite the additional periods.

Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?

Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?

Let us know what you think in the comments!

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center

Alex Stanford

136 Posts
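
An added example, not part of the original diary or any ISC code: one way to keep dotted variants from slipping past an email ban list is to compare addresses by a canonical key, and the same key groups the failed logins quoted above by the mailbox they actually point to. The function names are hypothetical; stripping the "+" suffix (raised in the comments below) and treating googlemail.com as an alias of gmail.com are additions not taken from the diary.

```python
import re
from collections import defaultdict

# Domains whose mailbox provider ignores dots in the local part. gmail.com is
# from the diary; googlemail.com is Google's alias for it (added assumption).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
LOG_RE = re.compile(r"^login failed for (\S+@\S+)$")

# The four log lines quoted in the diary.
LOG_LINES = [
    "login failed for s.ervic.d.157.6@gmail.com",
    "login failed for se.rv.icd.15.76@gmail.com",
    "login failed for r.a.mo.s.odalys.33.3@gmail.com",
    "login failed for sho.ppin.g48service@gmail.com",
]

def canonical_email(addr):
    """Comparison key for ban lists and duplicate-account checks."""
    local, sep, domain = addr.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()  # compared case-insensitively
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")  # drop +tag, then dots
        domain = "gmail.com"
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"

def is_banned(addr, banned):
    """True if addr resolves to the same mailbox as any banned address."""
    return canonical_email(addr) in {canonical_email(b) for b in banned}

def group_failed_logins(lines):
    """Map canonical mailbox -> set of raw spellings seen in failed logins."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            seen[canonical_email(m.group(1))].add(m.group(1))
        except ValueError:
            continue  # malformed address in the log; skip it
    return dict(seen)

if __name__ == "__main__":
    for key, variants in group_failed_logins(LOG_LINES).items():
        if len(variants) > 1:
            print(key, "<-", sorted(variants))
```

Addresses on other domains, including Google Apps domains, keep their dots, so user.name and username stay distinct there.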
http://gmailblog.blogspot.de/2008/03/2-hidden-ways-to-get-more-from-your.html

It's an intentional feature of Gmail to give its users more flexibility on how they use their email address. You can also use a plus "+" to append something to your Gmail address. I've used this often for filtering e-mails. You can also determine who is distributing your email address if you use this when you register for a site by appending the sitename or some indicator to your email address: email+sans@gmail.com
Anonymous
I just tried sending an email w/ periods from my personal Gmail to my Google Apps account and it was rejected. So I'm assuming this doesn't affect organizations within Google Apps?
Dean

135 Posts
Quoting Dean: I just tried sending an email w/ periods from my personal Gmail to my Google Apps account and it was rejected. So I'm assuming this doesn't affect organizations within Google Apps?

Correct, it appears that this does not affect Google Apps but only @gmail.com addresses:
Quoting Google: Periods (.) are not ignored as they are in a gmail.com account. If you create a user account called username, this user will not be able to receive messages addressed to user.name, or us.er.na.me, or any other combination of periods.

Source: https://support.google.com/a/answer/33386?hl=en
Alex Stanford

136 Posts
Just tested using a personal Gmail account: user.name@gmail.com and username+SANS@gmail.com.
Both were delivered successfully.
Dean

1 Posts
The "+" syntax is a standard, not a Google-ism like the periods.
John Hardin

62 Posts
